Board Oversight and Cybersecurity - What are the Risks to Your Company?

Does your board exercise proper oversight over cybersecurity risks? Directors and officers have fiduciary duties to protect the assets of their companies. This obligation covers digital assets, including corporate information, applications, and networks. The scope of the obligation is defined, in part, by laws and regulations that impose specific privacy and security obligations on companies.

The CyLab report also noted that little attention is focused on risks related to vendor management, and observed:

"the low response for vendor management is concerning because it indicates that the privacy and security of data at cloud and software providers and outsource vendors are receiving little oversight."

In comparing findings across industries, CyLab found that the financial sector has some of the strongest privacy and security practices in place, while energy and utilities have some of the weakest governance practices.

The report concludes with a set of recommendations to boards and senior management. These recommendations include:

"Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility."

"Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans."

"Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident."

Data breaches, and loss of user data and other sensitive information, pose significant legal and reputational risks for companies. All companies should ensure that they have the systems and policies in place to manage risks to digital assets. These systems need to be regularly evaluated and properly resourced: this requires top-level attention from senior management and the board.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
